Wednesday, December 28, 2005
SOX Section 404 Backlash
Sarbanes-Oxley (SOX) has been law since July 2002 and the collapses and financial carnage created by Enron, Tyco International, WorldCom, Adelphia Communications, HealthSouth, and Cendant, may have lost their prominence in people’s minds. Bloomberg reports executives are becoming more vocal that SOX has become an overzealous exercise to contain and detect corporate corruption. Section 404 is the current battlefield.
"I would like to see it opened and revised. Sarbanes-Oxley has become extraordinarily expensive," said David Chavern, vice president of capital markets at the U.S. Chamber of Commerce in Washington, D.C. told Bloomberg.
The number of U.S. financial restatements climbed 28 percent over 2003 to 2004, prompted by SOX, according to the Huron Consulting Group. Office Depot CEO Steve Odland, told Bloomberg, "You have more independent eyes scrutinizing the decision making and the financial statements of the companies." Odland is also the chairman of the Business Roundtable’s corporate governance task force.
Several changes have come about as a result of SOX. The New York Stock Exchange requires that boards have a majority of independent directors now. The year 2001 saw 61 percent of boards with independent directors, compared with 89 percent in 2005, according to the National Association of Corporate Directors. Bloomberg reports that only three, of the eight directors of the bankrupt commodities exchange Refco, were independent.
posted by Brian Moran @ 9:28 AM
Friday, December 23, 2005
Lay, Skilling Stand Trial as Enron-Inspired Rules Face Backlash
Dec. 23 (Bloomberg) -- The judge who gave Bernard Ebbers 25 years in prison for committing the biggest corporate fraud in U.S. history realized the former head of WorldCom Inc. would probably die there.
"This sentence is likely to be a life sentence," U.S. District Court Judge Barbara Jones said in July 2005 after handing Ebbers, 63, one of the longest prison terms ever in a corporate corruption case.
Stiffer penalties and the Sarbanes-Oxley Act, which were spurred by the 2001 collapse of Enron Corp., have deterred corporate wrongdoing, prosecutors say. More than four years later, as former top Enron executives prepare to stand trial in January, a growing number of executives say the fight against corporate corruption has gone too far and overzealous prosecutors must be reeled in. The accounting-controls provision of Sarbanes- Oxley is the biggest battleground.
"I would like to see it reopened and revised," says David Chavern, vice president of capital markets at the Washington- based U.S. Chamber of Commerce. "Sarbanes-Oxley has become extraordinarily expensive."
posted by Brian Moran @ 10:16 AM
Wednesday, December 21, 2005
The Changing Role of the CFO
The role of the CFO has undergone significant and dramatic change since the early 1980s, with some of the biggest changes taking place in the last decade. Businesses have grappled with a range of developments in the economic and regulatory environments since the late 1990s, including:
•Technology investment. In the run-up to Y2K (the year 2000), companies invested heavily in preparing their IT systems—many opting for enterprise resource planning (ERP) systems to ensure a smooth date-change transition.
•The brick wall. The bursting of the dot-com bubble, in combination with the events of September 11, put the brakes on the global economy in 2001. Businesses were forced to squeeze as much as they could from their past investments, with many eschewing growth initiatives in favor of cost-cutting.
•Brighter skies, but more regulations. In the most recent business cycle, growth and economic optimism have replaced retrenchment. Yet the emergence of new regulations such as Sarbanes-Oxley and Basel II and their attendant compliance costs has kept cost containment on the front burner, while putting pressure on companies to implement more effective internal controls and corporate governance.
posted by Brian Moran @ 9:11 AM
Tuesday, December 20, 2005
who should lead compliance?
Regulatory compliance is an increasingly visible, data-intensive, and costly management function that requires collaboration among business units, IT, and finance functions.
U.S. companies have had to comply with international trade, federal, and state regulatory requirements for generations. But the combination of new regulations such as the Sarbanes-Oxley Act of 2002 and closer scrutiny from investors and boards of directors have made complying with regulation a more costly, higher-profile activity for companies — and one that poses substantial downside risk to companies and to their senior executives.
Advances in information technology and in the interdependencies among companies have made computerized information about business activities a primary source for demonstrating compliance with government regulation. As a result, regulatory compliance is an increasingly visible, data-intensive, and costly management function that requires collaboration among business units, IT, and finance functions.
posted by Brian Moran @ 8:38 AM
Monday, December 19, 2005
Sarbox compliance costs to fall 40%
The costs of complying with Section 404 of the Sarbanes-Oxley Act are expected to drop by 40% in the second year under the new rules, according to a survey.
A sample of the Fortune 1000 companies by consulting firm CRA International, undertaken on behalf of the Big Four, showed that costs associated with meeting the regulations on internal control the second time around will be much smaller for both larger and smaller listed companies.
Reduced documentation is cited as the major reason for the fall although increased efficiency in internal control and a change in remediation efforts has also helped, according to CRA.
posted by Brian Moran @ 8:57 AM
Friday, December 16, 2005
SEC suits could point the way for Sarbanes-Oxley challenges
As corporate critics of the Sarbanes-Oxley Act weigh whether to pursue a partial easing of the law's accounting requirements through a court challenge, two recent lawsuits filed against the Securities and Exchange Commission (SEC) could serve as models.
Sarbanes-Oxley, passed by Congress in 2002 to boost corporate governance after accounting scandals at WorldCom and Enron, has become a thorn in the side of companies straining to comply with the law's mandate for new internal financial controls. While the SEC has signaled a willingness to consider industry concerns as it implements the law, conservative and corporate opponents of the law may not be willing to wait for the agency to change its ways.
Court challenges to Sarbanes-Oxley will "absolutely" be mounted in 2006, said Mallory Factor, president and CEO of the Free Enterprise Fund. "I'm highly confident. … (The law) puts a criminality on risk-taking, hurts our entrepreneurial spirit, costs us jobs."
Many in the business world agree. Rep. Tom Feeney (R-Fla.), coordinator of a bipartisan Sarbanes-Oxley "listening tour," has heard the suggestion for a judicial remedy to the high cost of the law’s audit requirements, said Feeney spokesman Myal Greene.
posted by Brian Moran @ 10:56 AM
Thursday, December 15, 2005
SOX Effective in Identifying Financial Statement Fraud
From the conviction of former WorldCom CEO Bernie Ebbers to the acquittal of HealthSouth's Richard Scrushy, corporate fraud continues to make headlines. Four years after Enron's collapse, financial integrity remains a key issue for corporate America.
The 2005 Oversight Systems Report on Corporate Fraud surveys certified fraud examiners to report the trends, risks and major concerns that businesses face today. While most fraud examiners view Sarbanes-Oxley (SOX) as an effective tool in fraud identification, few think it will change the culture of business leaders.
Nearly two-thirds of respondents (65 percent) indicate that SOX has been somewhat or very effective in identifying incidences of financial-statement fraud. Only 19 percent of those surveyed found SOX to be ineffective or serve to prevent fraud identification.
Although respondents agree that SOX serves to identify fraudulent activity, they do not feel the recent cultural change among U.S. business leaders toward institutional integrity and fraud prevention in the wake of account scandals will stick. Only 17 percent feel there will be a shift among business leaders to institutional integrity and fraud prevention for the foreseeable future.
The remainder of respondents possess a more stark outlook, reporting that interest in such actions will fade in the next five years (39 percent); that vigilance has already begun to fade (32 percent); or that there has been no change among business leaders (12 percent).
"The findings of this survey foreshadow a real need for continued vigilance among executives toward institutional fraud," said Patrick Taylor, CEO of Oversight Systems. "SOX legislation and the intense focus on corporate scandals have helped battle this type of white-collar crime, but professionals seem to be worried that the C-suite might quickly lose interest in policing corporate fraud."
posted by Brian Moran @ 10:54 AM
Wednesday, December 14, 2005
Gartner Survey Shows Spending for Compliance and Corporate Governance to Account for 10-15 Percent of an Enterprise's 2006 IT Budget
Increased corporate spending for compliance and corporate governance is having a significant impact on IT budgets, according to Gartner, Inc. According to preliminary results from Gartner's 2005 Financial Compliance Management Survey, IT financial compliance management spending will increase to between 10 percent and 15 percent of IT budgets in 2006, up from less than 5 percent in 2004.
In October and November 2005, Gartner sponsored a financial compliance management survey of 326 audit, finance and IT professionals in North America and Western Europe, who are knowledgeable of compliance practices and efforts within their companies and organizations. Preliminary results indicate that compliance initiatives, as defined by the Sarbanes-Oxley Act (SOX) in the United States and related regulatory mandates in other geographies, are diverting a large amount of new IT project discretionary resources to support corporate governance efforts.
"Projects that were not aligned with compliance and corporate governance were delayed or cancelled, and SOX efforts inhibited the purchase of large amounts of software related to building new technologies and deploying new projects," said French Caldwell, research vice president for Gartner. "However, by the second half of 2005, increased interest in IT solutions to ease the burden of compliance has begun to drive new spending."
posted by Brian Moran @ 2:54 PM
Tuesday, December 06, 2005
Challenges of Section 404 Compliance
Compliance with Section 404 of the Sarbanes-Oxley Act (SOX) is required in 2006. A report by the Public Company Accounting Oversight Board (PCAOB) states that both accounting firms and the public companies they audit will face "enormous challenges" this year as reported in CFO.com. This section of SOX requires that companies document their internal controls.
"It is clear to us that the internal control assessment and audit process has the potential to significantly improve the quality and reliability of financial reporting. At the same time, it is clear to us that the first round of internal control audits cost too much," PCAOB chairman William J. McDonough told CFO.com.
At the time of this writing, McDonough has stepped down as chairman and the Securities and Exchange Commission (SEC) is in the process of finding a replacement with national stature and accounting industry experience according to the Washington Post.
Staff with prior training and experience in designing, evaluating, and testing internal controls will be a challenge especially with the short time companies have to implement Section 404. CFO.com reported that, "These challenges were compounded in cases in which companies needed to make significant improvements in their internal control systems to make up for the deferred maintenance of those systems," as stated by the PCAOB.
posted by Brian Moran @ 9:37 AM
Monday, December 05, 2005
SEC reform to ease US reporting obligations
Foreign companies with New York share listings are set to be offered an easier route to ending expensive financial reporting obligations in the US.
Under existing US rules, even if a foreign company terminates its Wall Street listing it may have to continue filing accounts with the Securities and Exchange Commission indefinitely.
But next week the SEC is expected to propose a reform of the rules as an important way to help the US secure fresh listings by companies.
Both the New York Stock Exchange and the Nasdaq stock market are facing growing competition from London and Hong Kong.
European industry groups have been pressing for reform because the cost of a company's reporting obligations with the SEC has been increased dramatically by the 2002 Sarbanes-Oxley law, which requires statements in annual reports about the quality of internal controls against fraud.
The SEC does not want companies considering listings in the US to think they could be saddled with reporting obligations to the regulator forever.
posted by Brian Moran @ 9:11 AM
Friday, December 02, 2005
How to Learn to Love Sarbanes-Oxley
Dave Bowser, information systems security manager at Kennametal, found big benefits during the second year of his company’s compliance with the auditing rules.
Like most of you, I approached Sarbanes-Oxley compliance last year with a certain trepidation. Within many companies, there’s always resistance to change and fear of the unknown, and SOX fits those bills. Even in my own department, employees were a little apprehensive of what they perceived would be extra paperwork, more time required for approval, just more time to do everything. Outside the company, we worried about the auditors. Not because we worried we’d done something wrong; we simply didn’t know what they were looking for.
Despite our concerns, we survived year one of SOX compliance relatively unscathed. And here’s the best news: Contrary to popular opinion—that the addition of controls will inevitably slow you down—I see a strong correlation between efficiency and good controls. That’s right, for all the fretting over regulation, SOX compliance could be a good thing for information security.
Anyway, now it’s year two, and we’re applying what we’ve learned from the first go-round to make this year less stressful and more productive. Here’s what we’ve learned.
1 Refine your documentation.The biggest lesson we learned from year one was that documenting controls that are not crucial leads to an unnecessarily arduous audit process. To paraphrase a line from the movie Field of Dreams, If you document it, they will audit it. Don’t try to impress the auditors with how many controls you have. They don’t want to see that. They want to focus in depth on critical controls rather than in breadth on every single control. Don’t get academic and try to match up point-for-point with one of the IT Control Reference frameworks. You’ll kill yourself trying to document all those controls, and the auditors will be forced to consider all those controls as key to your business (and audit all of them).
Let’s be clear: I’m not saying you should arbitrarily reduce the number of controls—that’s not smart. And I’m not saying to discount those control frameworks. A lot of experience went into their development, and if you ignore the critical parts of those frameworks, the auditors will know. All I’m saying is to focus your documentation on the controls that are critical to your business, and then the auditors will follow your lead and zero in on what’s important.
Figuring out which controls are key, I admit, is a learning process. We went to independent third-party auditors for advice. I also happen to be an auditor, so I understand control environments. That helped. Tap people with experience from inside and outside your organization to determine the key controls.
2 Centralization is simplification.A smart thing we did was to centralize security administration. Say you have six business systems in six places, and a control on each of those business systems is user ID and password administration. If you haven’t centralized security administration, then that’s six different controls for the auditors to check. Centralize administration, document the control once, and it applies everywhere, as long as it’s processed in a single way by a single set of people (we found that this was especially important to the auditors). Suddenly, you’ve made your audit less painful and you’ve drastically reduced your total number of controls, thereby creating business efficiency. In year two, we’ll extend this by simply applying centralized administration to any new business systems that enter our scope.
3 To deal with acquisitions, bring down the hammer.Audits take a snapshot, but your business is a motion picture. It continues to change even after the auditors give you the thumbs up. So just when you thought you had everything in place, you realize that the scope of compliance has changed. Like many companies, we have grown by acquisition during the past year. And in our case the acquired companies had been privately held in the past. They had no previous experience with SOX. To deal with this, our approach is to extend our “SOX model” to the acquired company.
Be firm and consistent, and it will work. They’ve got very little reason to dislike it and we’ve got plenty of reasons to do it, number one being keeping our controls centralized and streamlined so audits go more smoothly. For example, one company had a business system that supported complex passwords—one of our controls—but in their system it wasn’t turned on. We persisted in having it turned on, and in the end we have a better overall control because of it.
4 Tie SOX success to paychecks.We use a performance planning and management process here, wherein we set performance objectives for each employee and meet throughout the year to check progress on them. How employees are doing can contribute to their paychecks. So it was relatively easy for me to include SOX-related activities in performance objectives. For example, I have an analyst in my department, and one of her duties is to perform certain periodic SOX analyses as documented in our IT general controls. Now those duties are part of her performance plan. So if those analyses don’t happen, or they’re late, incomplete or inaccurate, she knows it’s part of her job evaluation throughout the year.
By doing this, you not only keep your staff compliance-motivated but you’ll avoid questions from the auditors, who would frown upon late or incomplete documentation. The first thing they’d say is, You committed to semiannual analysis, but we see no evidence to support that you did that.
5 Keep in touch with auditors and peers.Yes, we’re starting year two of SOX compliance, but in a way the process is ongoing. We’ve tried to keep the relationship with the auditors going. If they’re in town, we’ll go to lunch and tell them about our progress. We ask them what they’re seeing out in the field and what are the trends to be aware of. I also like to pick the brains of other people. I’ll ask peers about their experiences. It doesn’t take long to do and you can learn really useful things by just asking.
6 Accept and absorb the up-front costs.Looking at it now, I think the cost of SOX compliance is front-loaded. A huge amount had to happen in year one, and it required a significant investment. But the opinion here, especially within risk management, audit and security, is that if we discount any dollars spent, we really believe SOX has improved the way we handle important issues like change control, security and operations.
But what about the expense, right? Even if it improved the company, was it worth it? I think that over time we’ll find it was well worth it. Some companies are trying to spend less up front, just making sure they’re compliant; they try to spread the expense out over time. Others are willing to make the required commitments sooner rather than later. We were the latter. We really wanted to be outstanding, so we made the investment in year one. And I think, going into year two, the cost curve will be dramatically different for managing IT controls.
7 Enjoy the efficiencies you create.In fact, I believe the efficiencies SOX helps us create will easily justify the cost we’ve put into SOX compliance. I see a strong correlation between efficiencies and SOX. It’s helping us run lean. It’s forcing us to review our processes and take out the waste. So, will we be SOX compliant? Yes, we believe so. We’ll also be far more efficient and effective, and, while technically that’s an ancillary benefit to SOX compliance, it’s the kind of benefit that I want to put front and center with our management.
Dave Bowser, information systems security manager at Kennametal, a $2 billion supplier of tooling, engineered components and advanced materials, in Latrobe, Pa., has 22 years of experience in IT, audit and security.
posted by Brian Moran @ 1:36 PM
Thursday, December 01, 2005
Companies need to alleviate the burden of daily compliance, writes a reader.
Don Durfee, the author of "The Top Spot" (October), is right that more CFOs are transitioning to CEO because of a renewed emphasis on shareholder value and corporate governance. But he's wrong in suggesting that Sarbanes-Oxley is not a significant factor — for CFOs, if not for the boards that tap them for the top position. After all, CFOs already share the risk with CEOs if their companies are not in compliance.
According to the 2005 Oversight Systems Financial Executive Report on Sarbanes-Oxley, 51 percent of nonaudit financial executives responded that they wanted to be CEO. Interestingly, we also asked internal audit directors if they wanted to be CFO, and only 31 percent of audit-related financial executives said they were interested in the top financial spot.
The implication is significant because it confirms the perception that Sarbox has a negative impact on the morale of the employees responsible for compliance. Companies need to find ways to alleviate the burden of daily compliance in order to reduce employee frustration and attrition and to keep good employees in the pipeline for senior positions, whether CFO or CEO.
Chief Executive Officer
Oversight Systems Inc.
posted by Brian Moran @ 8:56 AM